Conducting an External Vulnerability Assessment

A privately held Consumer Goods Manufacturer (CGM) was a Top 15-ranked business by Forbes in 2009. Despite the comparatively scant amounts of data due to CGM’s corporate financial structure, TSC has identified several potential vulnerabilities with significant potential impact. Open-source documents reveal that the CGM has a varied and expansive business footprint. It is within that footprint that TSC analysts found several key potential vulnerabilities that exist in a Chinese joint venture and website security.

The problem

This CGM has been in high-growth mode in locations outside the United States to take advantage of economically advantageous manufacturing, and new markets for their products. Like many organizations doing business in foreign markets, however, the CGM is unclear on whether its relationships and strategies in some markets are proving to be detrimental to overall market share and opportunity.

As most organizations do, CGM has established trade agreements, put in place non-disclosure agreements (NDA’s), and uses typical security technology solutions. They considered this satisfactory to protect their processes and market share.

The assessment

Tailored Solutions and Consulting analyzed the problemusing a small team of employees, each with a background in identifying security vulnerabilities, protecting national interests, and commercial security protocol. One team member is a fluent Chinese speaker who analyzed Chinese-language websites, a key component of this report.

The Chinese language has more than 80,000 characters, with approximately 4,000 of them the most actively used. Such an expansive language allows for native speakers to choose combination of characters that very distinctly describes something with little to no room for ambiguity. It is important for the reader to understand the precise nature with which a native Chinese speaker would choose their words when saying anything, let alone publishing a document to the Internet.

Joint venture assessment

Chinese Ownership: CGM entered into a Joint Venture (JV) with French Company (FC). The JV is called PDQ Co. Ltd (PDQ). Statements on various Chinese and English language websites indicate that it is a 50-50 JV with no Chinese ownership stake. Further research indicated that FC first initiated its venture into China in the 1990s as a sole-foreign owned enterprise.

Typically, the lack of Chinese ownership is a warning sign for TSC analysts. While it's true that many U.S. and European giants were compelled to seek local JV partners, FC set up shop following the Chinese “economic development” charter; where the Chinese government permitted foreign companies to be wholly foreign invested, meaning they could do business without a Chinese partner.

As background, even large corporate giants such as McDonald’s, KFC, DANONE and Coca-Cola were only allowed into the Chinese market as part of cooperative relationships with Chinese counterparts. McDonald’s partnered with the Beijing Agricultural, Industrial, and Commercial Federal Corp. Coca-Cola established JV’s indirectly through Hong Kong-based companies Swire Beverages and Kerry Group. They also have a beverage concentrate company that is a JV with a similar facility in Tianjin. Coca-Cola’s first bottling company in China was a JV in Zhuhai with the former Ministry of Light Industry (now State Light Industry Bureau/SLIB under the State Economic and Trade Commission). KFC set up in China via ties with the Ministry of Light Industry and the Beijing Corporation of Animal Production, a Beijing city government-controlled producer of chickens. DANONE Group of France was a 51percent owner with a Chinese company in Wahaha Group, a large juice beverage maker.

There are countless other examples of non-Chinese companies setting up operations inside China only after agreeing to partner with domestic companies. FC’s ability to enter China without that stipulation is an extremely strong indicator that they had/have a relationship with a high-level official in China who would have allowed them to bypass this almost iron-clad “cost” of doing business inside the country. Based on similar business cases that TSC is familiar with, it is likely that FC had or developed a relationship with a high ranking official in the Industrial Development Area (EDA) and/or the local/regional government. Those relationships can involve paying a fee to a Chinese official(s) to allow the new company to be solely foreign owned. In addition, it would be expected that there remain ongoing and regular payments carved out of the operation’s yearly profits in order to keep the arrangement current. The alternative, that FC was allowed to set-up PDQ without any financial arrangements with a Chinese official or entity, is virtually impossible.

Chinese Under-reporting: TSC believes that a likely offshoot of the above scenario is that FC uses the 2007 agreement with CGM as a means to lessen or remove the financial burden of the fee that they furnish to their Chinese contact. The JV may underreport revenue in an amount equal to the yearly payment or, more likely, over-report costs to cover the payment. For example, if the yearly payment to the Chinese Official is $500,000 (U.S.), PDQ could simply indicate that there was expenditure of X+ 500K in an area difficult to track. TSC believes that “soft money” expenditures such as maintenance, travel, advertising or marketing would be likely areas where the fee is carved out. Of course, safeguards such as CGM representatives in China and financial audits of the operations would make such a scenario more difficult to manage. However, in all open-source research conducted, TSC was unable to identify even one individual whose name is not, on its surface, ethnic Chinese. Without a dedicated and loyal CGM presence, the likelihood of financial skimming and intellectual property theft are exponentially increased. Although it is possible that either CGM or FC or both have a constant presence at the facility, even a lone individual could easily be misled or shielded from the truth, especially should there be any significant language proficiency barriers. Regardless, TSC strongly suggests further investigation and safeguarding against this likely scenario.

Chinese Long-term Manufacturing Strategy: In its short history of allowing foreign manufacturing investment inside its borders, China has repeatedly taken the long-term strategy of copying the layout, process and machinery inside a facility. They then take their newly “acquired” knowledge and open a competing enterprise where 100 percent of the profit remains within China.

Chinese JV strategy: TSC was able to find some initial data indicating that a similar long-term strategy may have begun with the CGM-FC JV in China. A Chinese-language website for the Tianjin University of Science and Engineering Research Institute of Food product reveals a March visit by the PDQ JV management. According to the document, the topic discussed during the visit was a review of “recent years in food product processing technical cooperation.” The management team and professors observed “the teachers design and manufacture their own food product equipment” utilizing techniques and processes developed over the past several years. The two sides also discussed in-depth technical cooperation for the future. The Chinese characters used to describe the relationship indicate an on-going, long-term cooperation strategy. According to the press release, there has already been and continues to be cooperation in the manufacture of food product equipment as well as an exchange of expertise between the two entities. This is an enormous warning sign that needs immediate exploration.

Warning Signs through Language: The TSC analyst assigned to this report noted several troublesome descriptions of PDQ, CGM and the JV found on various Chinese-language websites and press releases. For example, a translation on the PDQ website from the Chinese states that they have been able to achieve success with the aid of two international companies. They have taken advantage of and borrowed resources from these companies in order to build their own success. There is no mention of foreign-ownership nor the JV in general. The reader is led to assume that PDQ is a separate entity of Chinese origin. The use of terms “borrow” and “taken advantage of” are deliberate and are not errors in translation. One possible explanation is that PDQ wants Chinese citizens who visit the website to believe it is a purely Chinese operation and whose success they can take national pride in. However, combined with other information in this report and numerous similar case studies, it is also possible that the Chinese view PDQ as their own, whether now or in the future through a competing facility or company.

Hiring: Job announcements on Chinese websites indicate that over the past several months PDQ is hiring for multiple positions ranging from marketing assistants to a general manager position in Beijing. These job postings beg the question if CGM is seeing increases in revenue commensurate with such a potential PDQ expansion.

Proprietary Technology/Equipment: Chinese language documents highlighting CGM’s inclusion in the JV with FC specifically note that one of the values CGM brings to the relationship is its superior manufacturing technology and expertise. This leads TSC analysts to surmise that as part of the agreement, CGM exported manufacturing equipment for PDQ’s use or shared proprietary technologies within limits. TSC believes that the danger to CGM’s long-term expansion into Asia and eventually beyond would be exacerbated by the presence of their manufacturing equipment in the production facility. Without stringent controls and oversight, it would be in line with Chinese strategy to copy the machinery and attempt to duplicate it. Combined with the curious wording mentioned earlier regarding food product manufacturing equipment, TSC believes it would be prudent for CGM to reevaluate its current arrangement in regards to the equipment and CGM representation at the plant.

Website assessment

Vulnerable Sites: During routine, passive reviews of the CGM website, TSC analysts were able to access areas that should likely be restricted. The documents appear to be Oracle-related, possibly showing the operating sequences to run the backend database. More than 40 total pages of code were readily available via multiple mediums on the Internet. Someone with malicious intent could, in conjunction with other access, cripple CGM business through faulty orders, prices, deliveries, etc.

Vulnerable Information: An often times overlooked yet equally vulnerable penetration point for a commercial company is the network of its suppliers, vendors, distributors and customers. During basic, open-source and passive searches for CGM information on non-CGM websites, TSC analysts uncovered specific pricing information. The prices appear to include what CGM charged the customer for dozens of items as well as a column indicating what the customer then added into the price for resale. TSC believes that it is crucial that CGM conduct an extensive review of all vendors and suppliers to assure that such confidential information is secure. A potential competitor, especially one set-up in a foreign country with cheaper labor, would be ecstatic to learn CGM’s price to a distributor and then undercut it.

TSC’s experience in protecting national interests reinforces our belief that a competitor or malicious actor will always seek the path of least resistance. In this instance, that path could be through a medium ostensibly out of CGM’s control yet holds the potential for substantive damage to CGM’s interests. TSC discovered the data from just one of CGM’s many suppliers/ vendors/redistributors, all of whom could be potentially and unknowingly leaking similar sensitive price information.

TSC’s experience in the corporate security and industrial espionage world, paired with a history of protecting national interests, gives us a unique perspective when conducting analysis of a U.S. company’s security posture. Specifically, international operations are prone to financial skimming and corporate theft of intellectual property. It is TSC’s professional opinion that CGM has several current areas warranting immediate attention and further investigation. Under the 863 program, otherwise known as the State High-Tech Development Plan, China has made no secret of the fact that it intends to skip generations of R&D costs by partnering with foreign companies and copying their techniques and technologies. Further complicating the problem is the aggressive manner in which the Chinese respond to such allegations. TSC strongly recommends CGM to immediately address these potential vulnerabilities before losses cannot be recuperated.

The TSC process during initial engagements includes conducting open-source research and analysis of CGM. All data used in production of this report was retrieved from openly available sources. Collection from these sources was done following all pertinent laws and in passive methods that would be replicable by someone with low to moderate research and technical expertise. Obviously, in a real-world environment a foreign competitor would not restrict themselves in this way.

About the author: Patrick Murray is the Chief Operating Officer at Tailored Solutions and Consulting, a Washington D.C.-based Security Analytics consultancy. His background includes more than 24 years of experience in development and operation of strategic operations and security programs from startup companies to publically traded technology companies.